Re: vnconfig with additional keyfile
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: vnconfig with additional keyfile
- From: Marcus Popp <marcus_(_dot_)_popp_(_at_)_paranoidbsd_(_dot_)_org>
- Date: Wed, 26 Oct 2005 01:37:56 +0200
Hello,
I have thought about my patch again and come to the conclusion it's
just a hack. There should be a separate tool (svndctl) which supports
AES and BF encryption (with different key lengths).
Furthermore it should be possible to change the password for a
key file, so if I think my password is sniffed over my shoulder
=> I could easily change it.
But I think it's beyond my programming skills.
Even better would be kernel support for the svndctl functionality.
So OpenBSD could provide an easy root partition encryption!
But this is way beyond my programming skills.
I know "Shut up and hack". But I cannot hack the support,
so I just shut up.
so long,
Marcus.
On Sunday 23 October 2005 22:34, Marcus Popp wrote:
> Hi,
>
> I've made the attached patch for vnconfig.c to allow an additional
> keyfile. This way I can build up a two-way authentication (keyfile on
> my USB stick) and can use a really long encryption key.
> usage: vnconfig -K /path/key svnd0 /path/secret
>
> My diff was inspired by the code of tedu@ and Nikolai Fetissov.
> I'm not a C guru => fixes welcome.
>
> I would provide diffs for the manual pages, if somebody cares.
>
> so long,
>
> Marcus.
>
> --- vnconfig.org Sun Oct 23 00:47:11 2005
> +++ vnconfig.c Sun Oct 23 22:25:16 2005
> @@ -42,6 +42,8 @@
> #include <sys/mount.h>
> #include <sys/stat.h>
>
> +#include <crypto/blf.h>
> +
> #include <dev/vndioctl.h>
>
> #include <err.h>
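Review bot: `#include <crypto/blf.h>` pulls in the kernel's copy of the Blowfish header; a userland program such as vnconfig normally uses the libc interface declared in `<blf.h>`, so please check which header the build actually installs and that the `blf_key`/`blf_enc` symbols used later resolve from libc rather than from kernel sources.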
> @@ -60,11 +62,14 @@
> #define VND_UNCONFIG 2
> #define VND_GET 3
>
> +#define KEY_LEN (_PASSWORD_LEN+1)
> +
> int verbose = 0;
>
> __dead void usage(void);
> int config(char *, char *, int, char *);
> int getinfo(const char *);
> +char* computekey(const char *);
>
> int
> main(int argc, char **argv)
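Review bot: `#define KEY_LEN (_PASSWORD_LEN+1)` depends on `_PASSWORD_LEN`, which comes from `<pwd.h>`; that header is not added by this diff, so the define only compiles if vnconfig.c already includes it. Style: write the new prototype as `char *computekey(const char *);` with the `*` attached to the name, matching the other declarations in this block.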
> @@ -72,7 +77,7 @@
> int ch, rv, action = VND_CONFIG;
> char *key = NULL;
>
> - while ((ch = getopt(argc, argv, "cluvk")) != -1) {
> + while ((ch = getopt(argc, argv, "cluvkK:")) != -1) {
> switch (ch) {
> case 'c':
> action = VND_CONFIG;
> @@ -86,6 +91,9 @@
> case 'v':
> verbose = 1;
> break;
> + case 'K':
> + key = computekey(optarg);
> + break;
> case 'k':
> key = getpass("Encryption key: ");
> break;
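Review bot: `-K` and `-k` both assign `key`, so giving both on one command line silently lets the later option win; consider rejecting the combination in usage(). It is also worth documenting that `-K` still prompts for a passphrase, since computekey() calls getpass() first and the usage text `[-vK] key-file` suggests it does not.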
> @@ -208,7 +216,52 @@
>
> (void)fprintf(stderr,
> "usage: %s [-c] [-vk] rawdev regular-file\n"
> + " %s [-c] [-vK] key-file rawdev regular-file\n"
> " %s -u [-v] rawdev\n"
> - " %s -l [rawdev]\n", __progname, __progname, __progname);
> + " %s -l [rawdev]\n", __progname, __progname, __progname,
> __progname); exit(1);
> +}
> +
> +char*
> +computekey(const char *filename)
> +{
> + static char key[KEY_LEN+1];
> + char *keybuf;
> + char encbuf[128];
> + FILE *f;
> +
> + keybuf = getpass("Encryption key: ");
> + if (!keybuf || strlen(keybuf) == 0)
> + errx(1 ,"Need an encryption key!");
> + else
> + strncpy(encbuf, keybuf, sizeof(encbuf));
> +
> + bzero(key, KEY_LEN);
> +
> + if (verbose)
> + printf("reading key from %s\n", filename);
> +
> + f = fopen(filename, "r");
> + if (f == NULL)
> + err(1, "Unable to open: %s", filename);
> + if (fgets(key, KEY_LEN, f) == NULL) {
> + fclose(f);
> + err(1, "file: %s is empty!", filename);
> + } else {
> + // remove newline
> + int len = strlen(key);
> + if (len > 0 && key[len-1] == '\n')
> + key[len-1] = '\0';
> + }
> + fclose(f);
> +
> + if (strlen(key) <= 1)
> + errx(1, "empty key from %s", filename);
> +
> + if (verbose)
> + printf("generating key\n");
> + blf_ctx c;
> + blf_key(&c, (u_int8_t *) encbuf, strlen(encbuf));
> + blf_enc(&c, (u_int32_t *) key, KEY_LEN);
> + return (key);
> }
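Review bot: the third argument of `blf_enc()` is a count of 8-byte Blowfish blocks, not a byte length, so `blf_enc(&c, (u_int32_t *) key, KEY_LEN)` encrypts `KEY_LEN * 8` bytes and writes far past the `key[KEY_LEN+1]` buffer; pass the number of blocks (`KEY_LEN / 8`) and size `key` as a multiple of 8 bytes with `u_int32_t` alignment. Two smaller points in the same function: `strncpy(encbuf, keybuf, sizeof(encbuf))` leaves `encbuf` unterminated when the passphrase fills it, so the later `strlen(encbuf)` can read past the buffer (use strlcpy and check its return value), and neither `keybuf` nor `encbuf` is zeroed after `blf_key()`, so the passphrase stays in memory. Note also that the value returned to config() is raw ciphertext rather than a C string; if the caller measures it with strlen(), a zero byte in the output truncates the effective key. The usage() change is not matched by a vnconfig.8 update in this diff.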